Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency aiohttp to v3.10.2 [SECURITY] #3933

Merged
merged 1 commit into from
Sep 16, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 16, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp 3.9.5 -> 3.10.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.


Patch: https://github.com/aio-libs/aiohttp/pull/8653/files


Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2

Compare Source

===================

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub:
    :issue:8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub:
    :issue:8608.

  • Minor improvements to various type annotations -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8634.


v3.10.1

Compare Source

v3.10.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Test Links:

Landing Page
MoreCast
Percentile Calculator
C-Haines
FireBat
FireBat bookmark
Auto Spatial Advisory (ASA)
HFI Calculator

Copy link

codecov bot commented Sep 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.35%. Comparing base (ee2b077) to head (b468ab3).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3933   +/-   ##
=======================================
  Coverage   81.35%   81.35%           
=======================================
  Files         298      298           
  Lines       11421    11421           
  Branches      546      546           
=======================================
  Hits         9292     9292           
  Misses       2094     2094           
  Partials       35       35           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 2ebfe38 to 011597e Compare September 16, 2024 21:11
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from d4f64aa to b468ab3 Compare September 16, 2024 21:57
Copy link

sonarcloud bot commented Sep 16, 2024

@conbrad conbrad temporarily deployed to production September 16, 2024 22:28 Inactive
@conbrad conbrad merged commit dc4697e into main Sep 16, 2024
25 checks passed
@conbrad conbrad deleted the renovate/pypi-aiohttp-vulnerability branch September 16, 2024 22:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant